The best way to take control of Bitcoin? Rally other greedy “selfish miners”

New research says luring others with big returns could lead to Bitcoin dominance.

Researchers at Cornell University have published a paper detailing what they see as a vulnerability in Bitcoin's protocol. Ittay Eyal and Emin Gün Sirer of Cornell's Department of Computer Science say Bitcoin is vulnerable to "selfish mining"—an attack by one or more members of the Bitcoin network who try to computationally corner the supply of bitcoins and control their flow.

"This attack can have significant consequences for Bitcoin," Eyal and Sirer wrote. "Rational miners will prefer to join the selfish miners, and the colluding group will increase in size until it becomes a majority. At this point, the Bitcoin system ceases to be a decentralized currency."

The Bitcoin community has been discussing the possibility of this sort of attack, sometimes known as a "cartel" attack, for over three years. But the risk in the past has been largely downplayed for one simple reason: it would require an attacker to have more computing power at his or her disposal than the rest of the Bitcoin network combined. The Cornell researchers' paper outlines a new strategy to the attack that still would require control of a significant number of the "nodes" in Bitcoin's transaction processing network, but it takes a different route to control—exploiting the rational behavior (and greed) of other miners.

Hi ho, hi ho, it’s off to mine we go

Bitcoins are created, or "mined," by computers as they perform the cryptographic process of handling others' Bitcoin transactions and adding them to Bitcoin's "block chain"—a public record of previous Bitcoin transfers. The mining ensures that individuals can't re-use the same bitcoins they've previously spent, and those performing the mining are rewarded with bitcoins of their own. Transactions are normally doled out for processing randomly among the available mining "nodes."

Many of the attacks on traders in the Bitcoin currency have been your usual type of Internet skullduggery—malware, phishing, and hacking into Bitcoin "banks" to purloin others' bitcoins. Last year, hackers made off with $228,000 worth of bitcoins after knocking over the trading site Bitcoinica, gaining access to its Web host, and grabbing traders' whole "digital wallets" from the server.

But those who want the really big money—or just want to throw the entire Bitcoin economy into disarray—might want to find a way to break into the virtual treasury of the system by taking control of how bitcoins are minted. There have been many ways that would-be Bitcoin millionaires have tried to influence the flow of those transactions, including going as far as launching distributed denial of service attacks against other miners to keep them from advertising their availability to mine transactions.

"Selfish mining" takes the goal of redirecting Bitcoin traffic to a higher level by attempting to essentially take control of the entire network. In a selfish or cartel mining attack, a group of colluding miners keeps their own transactions within the nodes they control. When the group detects a transaction from outside the colluding pool, it publishes a previous version of the "block" the transaction is tied to all at the same time—essentially making its version the trusted one, rolling back the transaction, and keeping the person responsible for originally mining the transaction from claiming a Bitcoin reward.

This is possible because the current Bitcoin mining protocol calls for miners to only broadcast the first version of a transaction "block chain" it receives of a certain length. If the selfish pool manages to push out enough of its own versions of transactions to other nodes in the network, it will eventually overwhelm other miners' versions. That would give the colluding miners control of the network and deliver all Bitcoin rewards for mining to themselves.

The possibility of "selfish miner" attacks has been known for some time, but they've generally been dismissed as impractical for a simple reason: you'd need an inordinate amount of computing power to pull it off. In order to gain control of the flow of created bitcoins and get the network to reject all of the blocks created by other miners, the attackers would need to have more computing power than the rest of the miners in the Bitcoin network combined—at least 51 percent of the computing power in the community.

Still, cartels of miners could take more than their fair share of bitcoins with control of much smaller portions of the Bitcoin network. Some simulations by members of the Bitcoin community have shown that control of as little as 15 percent of the network could pay off with out-of-proportion returns.

And it’s that sort of impact that provides the tipping point for the attack outlined by Eyal and Sirer. It uses the economic incentives that come with being part of a colluding cartel of coin miners to lure otherwise honest Bitcoin miners into the fray. The scheme offers them a bigger payout as a result of their collusion, making it rationally irresistible once the cartel reaches a size of about 25 percent of the Bitcoin network. As the paper describes it:

Above a certain threshold size the revenue of a selfish pool rises superlinearly with pool size above its revenue with the honest strategy. Once a selfish mining pool reaches the threshold, rational miners will preferentially join selfish miners to reap the higher revenues compared to other pools. Such a selfish mining pool will quickly grow to become a majority, at which point the pool will be the only creator of blocks, the decentralized nature of the currency will collapse, and a single entity, the selfish pool manager, will control the system.

The researchers also found that attackers needed far less than 51 percent of the nodes in the network under their command to reach a point where they could control the system. Under the current protocol for Bitcoin, they found controlling a third of the network is sufficient to gain control.

Weighing the risk

The change Eyal and Sirer propose isn't a drastic rewrite of the system, and it should be backward compatible with existing Bitcoin mining software. Instead of processing just the first version of a block chain received, the new protocol would have miners select from multiple versions of the block chain at random. That would put the threshold for control back at over 50 percent, they asserted, and it makes cornering the Bitcoin market impractical for all but the biggest attacker (such as someone with a state-funded supercomputing environment).

Some in the Bitcoin community remain skeptical of the attack threat, particularly because it would require the cartel attacking the system to essentially announce its intentions to other miners to bring them into their pool.

Developers behind the Bitcoin network—many of whom work under the aegis of The Bitcoin Foundation, which maintains the standard for the protocol in question—are still assessing the risk as posed in the paper. Bitcoin Foundation chief scientist Gavin Anderson told IDG News Service that he believes the consensus in the end will be that the threat doesn't warrant a change. As he sees it, this attack, even with the lower threshold proposed by the Cornell researchers, simply is not technically practical.